Because it is not cost-effective to defend every system equally in a complex cyber environment, improving the efficiency of incident response triage means prioritizing the defense of critical functionality and of the most vulnerable systems. Threat intelligence is crucial for directing Security Operations Center (SOC) analysts' attention to specific system activity and provides the primary contextual foundation for interpreting security alerts. This paper explores novel approaches for improving incident response triage, including the handling of attacks and zero-day malware. Rapid prioritization of different malware families has been proposed as a way to formulate fast response plans and minimize the socioeconomic damage caused by the massive growth of malware attacks in recent years; the same approach can be extended to other kinds of incident response. To address this need, we propose a malware triage approach that rapidly classifies and prioritizes different malware classes. We use a pre-trained ResNet18 network within a Siamese Neural Network (SNN) to reduce bias in the learned weights and parameters. Our approach further incorporates an external task memory that retains task information from previously encountered examples; this transfers experience to new samples and reduces computational cost, since no backpropagation is required through the external memory. Evaluation results indicate that the classification component of the proposed method outperforms comparable classification techniques. The resulting triage strategy, which combines task memory with meta-learning, evaluates the degree of similarity between a new sample and known malware classes in order to identify risky and unknown malware (e.g., zero-day attacks), so that the systems supporting critical functionality can be defended first.
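The similarity-matching triage step described above, as an added illustrative example that is not the paper's own code: per-class prototypes held in a small external task memory stand in for the embeddings a Siamese ResNet18 would produce, the memory is updated by a running mean rather than by backpropagation, and a new sample whose best cosine similarity to every stored class falls below a threshold is flagged as unknown (a zero-day candidate) and ranked ahead of known classes, which are then ordered by the criticality of the functionality they threaten. The four-dimensional feature vectors, the class labels, the criticality scores and the 0.8 threshold are all constructed for this example.

```python
"""Similarity-based malware triage over an external task memory.

Illustrative example only (not the paper's implementation). Prototype vectors
stand in for Siamese-network embeddings; the memory is updated by a running
mean, so no backpropagation touches the stored entries.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Vector = Sequence[float]


def cosine_similarity(a: Vector, b: Vector) -> float:
    """Cosine similarity; zero vectors yield 0.0 instead of dividing by zero."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


@dataclass
class TaskEntry:
    prototype: List[float]   # running mean of embeddings seen for this class
    count: int               # how many embeddings contributed to the mean
    criticality: int         # assumed scale: 1 (low) .. 3 (threatens critical functionality)


class TaskMemory:
    """External memory keyed by malware class; holds one prototype per class."""

    def __init__(self, known_threshold: float = 0.8):
        self.known_threshold = known_threshold   # assumed cut-off for "known class"
        self.entries: Dict[str, TaskEntry] = {}

    def store(self, label: str, embedding: Vector, criticality: int) -> None:
        """Write a labelled embedding into memory via an incremental mean (no backprop)."""
        entry = self.entries.get(label)
        if entry is None:
            self.entries[label] = TaskEntry(list(embedding), 1, criticality)
            return
        n = entry.count
        entry.prototype = [(p * n + e) / (n + 1) for p, e in zip(entry.prototype, embedding)]
        entry.count = n + 1

    def match(self, embedding: Vector) -> Tuple[str, float]:
        """Return (best class, similarity), or ("unknown", best similarity) below threshold."""
        best_label, best_sim = "unknown", 0.0
        for label, entry in self.entries.items():
            sim = cosine_similarity(embedding, entry.prototype)
            if sim > best_sim:
                best_label, best_sim = label, sim
        if best_sim < self.known_threshold:
            return "unknown", best_sim
        return best_label, best_sim

    def triage(self, samples: Dict[str, Vector]) -> List[dict]:
        """Rank samples: unknown (suspected zero-day) first, then by class criticality."""
        results = []
        for sample_id, embedding in samples.items():
            label, sim = self.match(embedding)
            # Unknown samples get a sentinel priority above any known class.
            priority = 99 if label == "unknown" else self.entries[label].criticality
            results.append({"sample": sample_id, "label": label,
                            "similarity": round(sim, 4), "priority": priority})
        results.sort(key=lambda r: (-r["priority"], r["sample"]))
        return results


def build_memory() -> TaskMemory:
    """Constructed memory: three classes, one of them seen twice."""
    memory = TaskMemory(known_threshold=0.8)
    memory.store("ransomware", [1.0, 0.0, 0.0, 0.0], criticality=3)
    memory.store("ransomware", [0.8, 0.2, 0.0, 0.0], criticality=3)  # mean -> [0.9, 0.1, 0, 0]
    memory.store("trojan", [0.0, 0.0, 1.0, 0.0], criticality=2)
    memory.store("adware", [0.0, 1.0, 0.0, 0.0], criticality=1)
    return memory


# Constructed query embeddings: s1 resembles ransomware, s2 adware,
# s3 is orthogonal to every stored class and should surface as unknown.
QUERY_SAMPLES: Dict[str, List[float]] = {
    "s1": [0.9, 0.1, 0.0, 0.0],
    "s2": [0.0, 1.0, 0.1, 0.0],
    "s3": [0.0, 0.0, 0.0, 1.0],
}


def run_example() -> List[dict]:
    return build_memory().triage(QUERY_SAMPLES)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

The sentinel priority for unknown samples encodes the abstract's point that an unmatched sample is the one most worth an analyst's time; in practice the threshold would be tuned on held-out classes, since a threshold set too low silently folds novel families into their nearest known class.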